Need Basic NAT Config example.

Answered Question
Nov 6th, 2008

I need a working sample config based on these simple details:

Outside 172.16.1.2 255.255.255.0 level 0

Inside 192.168.0.3 255.255.255.0 level 100

DMZ 192.168.154.1 255.255.255.0 level 50

Web1 172.16.1.7 needs to map to DMZ 192.168.154.7 smtp, https

Web2 172.16.1.24 needs to map to inside 192.168.0.4 DNS https

1. I would like the inside network to be able to reach any server in the DMZ any service. Also be able to reach the web pages.

2. I would like the DMZ to pass only limited information like port http but I can build from any rule that works.

3. I would like to be able to browse the internet from the DMZ and inside.

I will rate high on any working configurations. I will rate each unique example using varied Nat types.

Correct Answer
Jon Marshall Thu, 11/06/2008 - 13:55

John

static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255

static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255

static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255

static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255

1) static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

You don't need an acl because it is going from inside to DMZ

2) access-list DMZ_in permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80

This would allow all hosts on DMZ to talk to any host on inside on port 80. As you say you can narrow it down.

3) nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.154.0 255.255.255.0

global (outside) 1 interface

Again you don't need an acl because you are going from higher to lower security level interfaces.

Jon
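As an added illustration of the rules Jon lays out above (no ACL needed from a higher to a lower security level, an ACL needed the other way, statics for the published hosts, nat/global for outbound PAT), here is a small Python model of the pre-8.3 ASA decision process. It is example code written for this page, not Cisco's code and not the poster's; the interface names in lowercase, the access-group line that binds DMZ_in to the dmz interface, the outside test ACL and the sample flows are assumptions layered on the thread's config.

```python
"""Simplified model of how a pre-8.3 ASA handles a new connection: inbound ACL
bound with access-group, otherwise the security-level rule, then static and
nat/global translation.  Added example, not Cisco code."""
import ipaddress

# From the question.  nameif values are case sensitive on a real ASA and the
# thread mixes "dmz" and "DMZ", so everything is lowercased in this model.
LEVELS = {"outside": 0, "inside": 100, "dmz": 50}
IFACE_IP = {"outside": "172.16.1.2", "inside": "192.168.0.3", "dmz": "192.168.154.1"}

# Jon's lines plus an assumed access-group: without it DMZ_in is never consulted.
CONFIG = """
static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-list DMZ_in permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
access-group DMZ_in in interface dmz
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
"""
# Assumed extra lines showing what the published smtp static still needs.
OUTSIDE_ACL = "access-list out_in permit tcp any host 172.16.1.7 eq 25\naccess-group out_in in interface outside\n"
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def take_net(t, i):
    """Consume 'any', 'host ADDR' or 'ADDR MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return net(t[i + 1], "255.255.255.255"), i + 2
    return net(t[i], t[i + 1]), i + 2


def parse(text):
    """Return dict of statics, acls, groups (iface -> acl name), nats and globals."""
    p = {"statics": [], "acls": {}, "groups": {}, "nats": [], "globals": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "static":              # static (REAL_IF,MAPPED_IF) [proto] MAPPED [mport] REAL [rport]
            real_if, mapped_if = t[1].strip("()").lower().split(",")
            if t[2] in ("tcp", "udp"):
                proto, mapped, mport, real = t[2], t[3], int(t[4]), t[5]
            else:
                proto, mapped, mport, real = "ip", t[2], None, t[3]
            mask = t[t.index("netmask") + 1]
            p["statics"].append((real_if, mapped_if, proto, net(mapped, mask), mport, net(real, mask)))
        elif t[0] == "access-list":       # access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
            i = 3 if t[2] == "extended" else 2
            src, j = take_net(t, i + 2)
            dst, j = take_net(t, j)
            port = int(t[j + 1]) if j < len(t) and t[j] == "eq" else None
            p["acls"].setdefault(t[1], []).append((t[i], t[i + 1], src, dst, port))
        elif t[0] == "access-group":      # access-group NAME in interface IFACE
            p["groups"][t[4].lower()] = t[1]
        elif t[0] == "nat":               # nat (IFACE) ID NET MASK
            p["nats"].append((t[1].strip("()").lower(), t[2], net(t[3], t[4])))
        elif t[0] == "global":            # global (IFACE) ID interface|ADDR
            p["globals"][(t[1].strip("()").lower(), t[2])] = t[3]
    return p


def shift(ip, src_net, dst_net):
    """Map ip's offset inside src_net onto dst_net (identity when the nets are equal)."""
    return ipaddress.ip_address(int(dst_net.network_address) + int(ip) - int(src_net.network_address))


def evaluate(p, src_if, src_ip, dst_if, dst_ip, proto, dport):
    """Decide a new connection entering src_if bound for dst_if.
    Returns (allowed, reason, translated_src, translated_dst)."""
    src_if, dst_if = src_if.lower(), dst_if.lower()
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Access check.  Pre-8.3 an ACL sees the destination as received on the
    #    ingress interface (the mapped address), so dst_ip is matched directly.
    if src_if in p["groups"]:
        rules = p["acls"].get(p["groups"][src_if], [])
        allowed = any(act == "permit" and ap in ("ip", proto) and src_ip in s and dst_ip in d
                      and pt in (None, dport) for act, ap, s, d, pt in rules)
        reason = f"acl {p['groups'][src_if]}"
    else:  # no inbound ACL: implicit permit only from higher to lower level
        allowed = LEVELS[src_if] > LEVELS[dst_if]
        reason = f"security level {LEVELS[src_if]} -> {LEVELS[dst_if]}"
    if not allowed:
        return False, reason, None, None
    # 2. Destination: undo a static whose mapped side faces the ingress interface.
    real_dst = dst_ip
    for r_if, m_if, sp, mapped, mport, real in p["statics"]:
        if m_if == src_if and r_if == dst_if and dst_ip in mapped and sp in ("ip", proto) and mport in (None, dport):
            real_dst = shift(dst_ip, mapped, real)
            break
    # 3. Source: a network static towards dst_if wins, else nat id + matching global.
    new_src = src_ip
    for r_if, m_if, sp, mapped, mport, real in p["statics"]:
        if r_if == src_if and m_if == dst_if and sp == "ip" and src_ip in real:
            new_src = shift(src_ip, real, mapped)
            break
    else:
        for iface, nid, real in p["nats"]:
            if iface == src_if and src_ip in real and (dst_if, nid) in p["globals"]:
                g = p["globals"][(dst_if, nid)]
                new_src = ipaddress.ip_address(IFACE_IP[dst_if] if g == "interface" else g)
                break
    return True, reason, str(new_src), str(real_dst)


POLICY = parse(CONFIG)
POLICY_WITH_OUTSIDE_ACL = parse(CONFIG + OUTSIDE_ACL)

if __name__ == "__main__":
    for flow in [("inside", "192.168.0.3", "dmz", "192.168.154.7", "tcp", 3389),
                 ("dmz", "192.168.154.7", "inside", "192.168.0.4", "tcp", 80),
                 ("dmz", "192.168.154.7", "inside", "192.168.0.4", "tcp", 3389),
                 ("outside", "203.0.113.9", "dmz", "172.16.1.7", "tcp", 25),
                 ("inside", "192.168.0.3", "outside", "198.51.100.5", "tcp", 443)]:
        print(flow, "->", evaluate(POLICY, *flow))
    print("smtp from outside with out_in bound ->",
          evaluate(POLICY_WITH_OUTSIDE_ACL, "outside", "203.0.113.9", "dmz", "172.16.1.7", "tcp", 25))
```

Running it shows the three points a reader of this thread most often trips over: inside to dmz passes on security level alone, dmz to inside passes only for port 80 and only once DMZ_in is bound with access-group, and the port statics for 172.16.1.7 translate the address but do not by themselves admit a connection from the outside interface until an ACL is bound there.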

John.OuYang Fri, 11/07/2008 - 09:26

This doesn't appear to be working. Can you create a show running-config that I can build from?

Jon Marshall Fri, 11/07/2008 - 09:34

John

Could you be a bit more specific: which bits work and which don't? If none of it works, then can you check basics such as whether both interfaces are up, etc.

Jon

John.OuYang Fri, 11/07/2008 - 11:54

I am unable to pass any traffic to the DMZ from the inside. I can't pass any traffic from the DMZ to the inside...on specific ports and open to any. All interfaces are up.

I cl xlate

I wonder if the default from a higher security to a lower security rules are working.

All I can do is browse the internet.

I guess I could try another asa 5510.

I do appreciate the help.

husycisco Fri, 11/07/2008 - 12:11

Hello John,

Please post your running config and let us advise on config

Regards

John.OuYang Mon, 11/10/2008 - 13:13

Here is a copy of the running config on the asa5510. I built it based on the information Jon provided. No traffic is passing. I expected to be able to RDP or reach the c drive of server in the dmz from an inside PC.

John

risenshine4th Wed, 11/12/2008 - 12:45

I've started over several times. I seem to be getting back to the same place...

Can browse internet from DMZ or Inside PCs

I just can't seem to pass any traffic between them.

I even put all interfaces in one pool to allow access to allow dynamic translation to the dmz and outside...translation from the dmz to inside and outside interface pools.

What am I missing?

Correct Answer
John Blakley Wed, 11/12/2008 - 14:11

You have an acl:

access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0

But you're not allowing traffic back in:

permit ip 192.168.0.0 255.255.255.0 any

If the above acl doesn't work, try to do "permit ip any any" to see if you can get ANY traffic at all.

HTH

--John

John.OuYang Fri, 11/14/2008 - 12:47

Exactly what I was missing.

It shows this rule in the ASDM Rules but this ACL is clearly missing from the ACL Manager.

Kind of odd. I thought that ACEs and the defined access rules were the same thing for Dmz incoming rules. So it must be a weird error for one to exist without the other.

John
